Oracle Blog

Web Notes by Stefan Hinker

T4 Crypto Cheat Sheet

In an earlier post, I already mentioned what's needed to make use of T4 crypto acceleration for Oracle TDE. This hasn't changed - the patch for Solaris 10 is still under development. However, there are of course other use cases for hardware crypto on T4. Since the code path to this functionality has changed considerably from earlier CPUs, there have also been some changes in how it's used and observed. Here's a short summary of these changes.

Using it:

Feature / Software consumer, by platform (columns: T3 and before*; T4 / Solaris 10; T4 / Solaris 11):

SSH
  T3 and before*: Automatically enabled with Solaris 10 5/09 and later. Disable/enable with the "UseOpenSSLEngine" clause in /etc/ssh/sshd_config.
  T4 / Solaris 10: Requires patch 147707-01. Disable/enable with the "UseOpenSSLEngine" clause in /etc/ssh/sshd_config.
  T4 / Solaris 11: Automatically enabled. Disable/enable with the "UseOpenSSLEngine" clause in /etc/ssh/sshd_config.

Java / JCE
  T3 and before*: Automatically enabled. Configure in $JAVA_HOME/jre/lib/security/java.security.
  T4 / Solaris 10: Automatically enabled. Configure in $JAVA_HOME/jre/lib/security/java.security.
  T4 / Solaris 11: Automatically enabled. Configure in $JAVA_HOME/jre/lib/security/java.security.

ZFS Crypto
  T3 and before*: Not available.
  T4 / Solaris 10: Not available.
  T4 / Solaris 11: HW crypto automatically enabled if the dataset is encrypted.

IPsec
  T3 and before*: Automatically enabled.
  T4 / Solaris 10: Automatically enabled.
  T4 / Solaris 11: Automatically enabled.

OpenSSL
  T3 and before*: Use "-engine pkcs11".
  T4 / Solaris 10: Requires patch 147707-01. Use "-engine pkcs11".
  T4 / Solaris 11: The engine "t4" is automatically used. Optionally use "-engine pkcs11"; pkcs11 is recommended for RSA/DSA at this time.

KSSL (Kernel SSL proxy)
  T3 and before*: Automatically enabled.
  T4 / Solaris 10: Automatically enabled.
  T4 / Solaris 11: Automatically enabled.

Oracle TDE
  T3 and before*: Not supported.
  T4 / Solaris 10: Pending patch.
  T4 / Solaris 11: Automatically enabled with Oracle DB 11.2.0.3 and ASO.

Apache SSL
  T3 and before*: Configure with "SSLCryptoDevice pkcs11".
  T4 / Solaris 10: Configure with "SSLCryptoDevice pkcs11".
  T4 / Solaris 11: Configure with "SSLCryptoDevice pkcs11".

Logical Domains
  T3 and before*: Assign crypto units to domains.
  T4 / Solaris 10: Functionality always available, no configuration required.
  T4 / Solaris 11: Functionality always available, no configuration required.

* T1 CPUs do not support symmetric ciphers like AES. Consumers like SSH will therefore use software crypto on T1.

Observability:

Note that, unlike T3 and before, T4 crypto doesn't require kernel modules like ncp or n2cp. As a consequence, there is no visibility of the crypto hardware through kstats or cryptoadm.

T4 does provide hardware counters for crypto operations. You can see these using cpustat:

cpustat -c pic0=Instr_FGU_crypto 5

You can check the availability of the openssl engine with the command "openssl engine", and the general crypto support of the hardware and OS with the command "isainfo -v".
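The two checks just mentioned can be scripted. The following is an added example, not part of the original post: it takes the text of "isainfo -v" and "openssl engine" and reports which algorithm classes the CPU executes directly and whether the "t4" and "pkcs11" engines are present. The sample outputs embedded below are constructed to resemble a T4 system and a pre-T4 system; the instruction token names (aes, des, camellia, kasumi, md5, sha1, sha256, sha512, mpmul) and the engine description strings are assumptions about how Solaris prints them. On a real machine, pass "$(isainfo -v)" and "$(openssl engine)" to the functions instead.

```sh
#!/bin/sh
# Added example: report hardware crypto support from isainfo/openssl output.
# Not code from the original post; sample outputs below are constructed.

# Constructed sample of "isainfo -v" on a T4 / Solaris 11 system.
# Token spelling is an assumption about the real isainfo output.
ISAINFO_T4='64-bit sparcv9 applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc
32-bit sparc applications
        crc32c cbcond pause mont mpmul sha512 sha256 sha1 md5 camellia kasumi des aes ima hpc vis3 fmaf asi_blk_init vis2 vis popc v8plus div32 mul32'

# Constructed sample for a pre-T4 system: no crypto ISA extensions are listed
# because T1/T2/T3 reach their crypto hardware through the ncp/n2cp kernel
# drivers (visible with cryptoadm and kstat), not through userland instructions.
ISAINFO_PRE_T4='64-bit sparcv9 applications
        vis2 vis popc
32-bit sparc applications
        vis2 vis popc v8plus div32 mul32'

# Constructed sample of "openssl engine" on T4 / Solaris 11. The engine ids
# (t4, pkcs11) are the ones named in the post; the descriptions are assumed.
OPENSSL_ENGINES_T4='(t4) SPARC T4 engine support
(pkcs11) PKCS #11 engine support
(dynamic) Dynamic engine loading support'

# hw_algos ISAINFO_TEXT
# Prints, in a fixed order, the algorithm classes whose instructions appear
# in the isainfo output. mpmul (multi-precision multiply) backs the bignum
# work of RSA/DSA/DH. Word-splitting $1 into tokens is intended.
hw_algos() {
    out=''
    for pair in aes:AES des:DES camellia:Camellia kasumi:Kasumi md5:MD5 \
                sha1:SHA-1 sha256:SHA-256 sha512:SHA-512 mpmul:RSA/DSA/DH; do
        tok=${pair%%:*}
        for t in $1; do
            if [ "$t" = "$tok" ]; then
                out="$out ${pair#*:}"
                break
            fi
        done
    done
    printf '%s\n' "${out# }"
}

# engine_present OPENSSL_ENGINE_TEXT ENGINE_ID
# Succeeds if "openssl engine" listed the engine id in parentheses.
engine_present() {
    printf '%s\n' "$1" | grep -q "^($2) "
}

# Stand-alone report over the constructed samples.
printf 'T4 userland crypto instructions cover: %s\n' "$(hw_algos "$ISAINFO_T4")"
pre=$(hw_algos "$ISAINFO_PRE_T4")
printf 'pre-T4 userland crypto instructions: %s\n' \
    "${pre:-none (crypto reached via ncp/n2cp kernel drivers instead)}"
for e in t4 pkcs11; do
    if engine_present "$OPENSSL_ENGINES_T4" "$e"; then
        printf 'openssl engine "%s": present\n' "$e"
    else
        printf 'openssl engine "%s": missing\n' "$e"
    fi
done
```

Because T4 exposes its crypto as ordinary instructions, an empty result from hw_algos on a T1/T2/T3 box does not mean the hardware lacks crypto; on those CPUs, check cryptoadm and kstat as described above instead.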

Since T4 crypto's implementation now allows direct userland access, there are no "crypto units" visible to cryptoadm. For the same reason, there are no "crypto units" visible in LDoms Manager. In LDoms, the functionality is always available and does not need to be configured separately. Note that you should have the latest LDoms Manager Patch 147507 installed.

In general, access to crypto acceleration with T1, T2 and T2+ CPUs works just like with T3. Of course, they don't all support the same range of algorithms. In particular, T1 doesn't support any of the symmetric ciphers like AES.

As we looked at the T3 crypto a few months ago, it wasn't as straightforward as we originally thought, as the devil was in the details. If we look into Web/App server SSL scenarios, it becomes necessary that the Solaris metaslot has those crypto mechanisms/algorithms enabled and also that the Web/App server enforces and negotiates a T3-crypto-supported SSL cipher suite. Java/JCE is ignorant of all these underpinnings. KSSL is not helpful as it won't work with Oracle's own Web/App servers, check it out.

Cryptography, unfortunately, isn't always as simple as one would hope. Several pieces of a puzzle have to fit for the whole picture to shine. However, in my experience, many configurations do work. Please contact me directly if you need assistance with one of your setups.